Notepad++ Compromise: Unveiling the Chrysalis Backdoor and Advanced Attack Techniques
In a recent cybersecurity incident, the Chinese Advanced Persistent Threat (APT) group known as Lotus Blossom, or Billbug, orchestrated a sophisticated attack targeting the widely used text editor, Notepad++. This operation led to the deployment of a custom backdoor named Chrysalis, primarily affecting sectors such as government, telecommunications, aviation, and critical infrastructure across Southeast Asia and Central America.
Attack Overview
The breach was first identified when a malicious file, `update.exe`, was executed following the legitimate use of Notepad++’s updater, `GUP.exe`. This file was downloaded from a suspicious IP address (95.179.213.0), raising immediate red flags among security researchers. Upon execution, `update.exe` created a hidden directory named `Bluetooth` within the `%AppData%` folder, where it deposited several files, including `BluetoothService.exe` and `log.dll`.
Chrysalis Backdoor Details
The `BluetoothService.exe` file, a renamed copy of the legitimate Bitdefender Submission Wizard binary, was abused for DLL sideloading: because the signed executable resolved its dependency by name, it loaded the malicious `log.dll` placed beside it instead of the genuine library. Once loaded, `log.dll` decrypted and executed the Chrysalis backdoor, an implant designed for long-term persistence.
Chrysalis employs several advanced evasion techniques:
– Custom Encryption: Utilizes a linear congruential generator for decryption, avoiding standard cryptographic APIs to evade detection.
– API Hashing: Resolves necessary Windows APIs using a custom hashing algorithm, complicating static analysis and antivirus detection.
– Command and Control Communication: Communicates with its C2 server (`api.skycloudcenter.com`) over HTTPS, mimicking legitimate AI-related network traffic to blend in.
The backdoor supports 16 different commands, including:
– Interactive Shell: Spawning a reverse shell via `cmd.exe`.
– File Operations: Reading, writing, deleting files, and enumerating directory contents.
– Process Execution: Launching remote processes.
– Self-Removal: A cleanup mode that removes persistence artifacts and deletes the malware from the disk.
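The initial-access and sideloading chain described in the two sections above can be expressed as a hunt over endpoint telemetry. The following is an added example written for this page, not code from the researchers or any vendor: it applies the write-up’s indicators (the updater spawning `update.exe`, the 95.179.213.0 download source, the `%AppData%\Bluetooth` drop directory with `BluetoothService.exe` and `log.dll`, the sideload itself, and the C2 domain) to constructed Sysmon-style event records. The field names, user paths and the assumption that `%AppData%` expands to `...\AppData\Roaming` are all constructed for the example.

```python
"""Hunt constructed endpoint telemetry for the Chrysalis indicators the write-up describes."""
import re

# Indicator values come from the write-up; every event record below is a constructed sample.
STAGER_IP = "95.179.213.0"
C2_DOMAIN = "api.skycloudcenter.com"
DROP_DIR = re.compile(r"\\appdata\\roaming\\bluetooth\\", re.I)  # assumes %AppData% = ...\AppData\Roaming
DROPPED_FILES = {"bluetoothservice.exe", "log.dll"}

def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events: list[dict]) -> list[str]:
    """Return one finding per event that matches a described indicator; benign events yield nothing."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "process_create":
            # GUP.exe is the legitimate updater; it launching update.exe was the first observation.
            if _name(e["parent_image"]) == "gup.exe" and _name(e["image"]) == "update.exe":
                findings.append(f"updater spawned {e['image']}")
        elif kind == "network_connect":
            if e["dest"].lower() in (STAGER_IP, C2_DOMAIN):
                findings.append(f"{e['image']} contacted {e['dest']}")
        elif kind == "file_create":
            if DROP_DIR.search(e["path"]) and _name(e["path"]) in DROPPED_FILES:
                findings.append(f"dropped {e['path']}")
        elif kind == "image_load":
            # Sideload: the renamed Bitdefender binary pulling log.dll from its own user-writable directory.
            if _name(e["image"]) == "bluetoothservice.exe" and _name(e["loaded"]) == "log.dll":
                findings.append(f"{e['image']} sideloaded {e['loaded']}")
    return findings

# Constructed sample telemetry (Sysmon-like field names are an assumption, not a real log format).
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"type": "network_connect", "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "dest": "95.179.213.0"},
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"type": "image_load", "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "loaded": r"C:\Users\alice\AppData\Roaming\Bluetooth\log.dll"},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "dest": "api.skycloudcenter.com"},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Notepad++\notepad++.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each matching event produces a separate finding, so the five suspicious records above yield five lines while the benign Notepad++ launch yields none; in practice the checks would run against real process, image-load, file and network events from an EDR or Sysmon pipeline.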
Advanced Loading Techniques
Beyond Chrysalis, researchers discovered a loader variant (`ConsoleApplication2.exe`) that leverages Microsoft Warbird, a complex code protection framework, to conceal its execution flow. This loader abuses the `NtQuerySystemInformation` system call with the undocumented `SystemCodeFlowTransition` (0xB9) class. By copying encrypted data into the memory of a Microsoft-signed binary (`clipc.dll`) and invoking this specific system call, the loader triggers the Warbird mechanism to decrypt and execute the shellcode in the kernel context. This technique effectively bypasses user-mode hooks and standard Endpoint Detection and Response (EDR) monitoring, marking a significant evolution in Billbug’s tradecraft.
Attribution and Implications
The campaign is attributed to Lotus Blossom with moderate confidence, based on the specific use of the Bitdefender sideloading technique and shared cryptographic keys found in the Cobalt Strike beacons deployed alongside Chrysalis. This incident underscores the increasing sophistication of state-sponsored cyber operations and the critical need for robust cybersecurity measures to protect against such advanced threats.